
Allow video embedding from Wikimedia Commons at Diff
Open, Needs Triage · Public · BUG REPORT

Description

List of steps to reproduce (step by step, including full links if applicable):

  • Take any video from Wikimedia Commons
  • Try to add it in Diff using any method (embed block, html embed...)

What happens?: The videos can't be embedded directly. They can be embedded using the raw URL from Commons, but then TimedText isn't shown (and the player seems broken at the bottom). If the <iframe> option is added, then some code is inserted to prevent the iframe from showing. Deleting it gives a security problem and the iframe isn't loaded. This doesn't happen when embedding YouTube videos.

What should have happened instead?: Diff should be able to directly embed Commons videos.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:

Event Timeline

Partially related, it would be reeeeally nice to contact WordPress (VIP?), asking to add Wikimedia Commons videos in this list:

https://wordpress.com/support/wordpress-editor/blocks/embed-block/#supported-services

This would add support across all recent WordPress sites worldwide, without any other plugin.

If I understand things correctly, two parts are needed. Commons needs to provide an oEmbed response to requests (such as from WordPress) and WordPress core needs to include oEmbed support for Commons.

There are a few phabricator tickets discussing this, but the details are light.

As a workaround you can copy/paste the embed code from Commons into WordPress. You first need to add an "HTML" block to your post. It's not intuitive and attribution will not appear in the Credits section below the post.

See the video at the bottom of this post as an example: https://diff.wikimedia.org/2021/10/03/join-us-celebrate-the-eureka-effects-of-the-3rd-edition-of-wiki-loves-folklore/

It may be something related to permissions at diff then, because the code is blocked if I try to insert an iframe.

CKoerner_WMF claimed this task.

Following up on this old task. My apologies. You can embed media from Commons on Diff. When editing an article, you can use the "Custom HTML" block and the <iframe> code from the "Use this File" link on a File: page on Commons. ie.

<iframe src="https://commons.wikimedia.org/wiki/File:Ikusgela_-_Karl_Marx.webm?embedplayer=yes" width="100%" height="480" frameborder="0" ></iframe>

You can see this in action on existing articles, such as this one.

https://diff.wikimedia.org/2023/03/04/capacity-development-for-underrepresented-communities-insights-from-the-implementation-phase/

I'd love it to be an oEmbed like YouTube, but that would take some MediaWiki and WordPress development. :)

I'd love it to be an oEmbed like YouTube, but that would take some MediaWiki and WordPress development. :)

That's exactly why the WMF should work on that, because there is some development. After two years there has been a total of ZERO effort on this, which is something needed if we want to be "the central repository of free knowledge". There's no way to be central if we can't use the videos directly and must rely on YouTube or Vimeo to have playable videos on social media or WordPress.

@CKoerner_WMF just for my curiosity, has that iframe always worked? (I think yes). If no, have we received some support from WordPress VIP?

@Theklan OK, thanks for re-opening, but please try to update the description a bit to clarify the current need, since to me this seems resolved. Maybe you may want to open another Task to support this specific feature, which was probably not strictly required to close this Task:

https://wordpress.com/support/wordpress-editor/blocks/embed-block/#supported-services

Marking as resolved, and adding a parent task, as this is resolved, but the issue remains.

I'd love it to be an oEmbed like YouTube, but that would take some MediaWiki and WordPress development. :)

That's exactly why the WMF should work on that, because there is some development. After two years there has been a total of ZERO effort on this, which is something needed if we want to be "the central repository of free knowledge". There's no way to be central if we can't use the videos directly and must rely on YouTube or Vimeo to have playable videos on social media or WordPress.

I do not disagree! I've been making the same argument since 2016 :)

@CKoerner_WMF just for my curiosity, has that iframe always worked? (I think yes). If no, have we received some support from WordPress VIP?

Yes, it has always worked, at least as long as I've been doing it on Diff, so for the last 4 years. It is not very intuitive or easy. Mucking with iFrames that is.

Yes, it has always worked, at least as long as I've been doing it on Diff

Yes, but you need a permission to do that (or it used to be). A regular user gets code deleted for security reasons and is (was?) not allowed to add an iframe.

I do not disagree! I've been making the same argument since 2016 :)

According to the meta page, you are a "Senior Movement Communications Specialist". I think that after 8 years it would be interesting to have a result, and push where it should be pushed to solve this. Who should do it?

but you need a permission to do that (or it used to be). A regular user gets code deleted for security reasons and is (was?) not allowed to add an iframe.

OK, you are right. I can confirm this limitation, which makes sense from the perspective of WordPress but indeed makes no sense from the perspective of users of Wikimedia Commons.

I see there is a plugin to allow that, but even with that plugin, "normal" users cannot (and should not) add the iframe:

https://wordpress.org/plugins/unfiltered-mu/

Warning! This is a very dangerous plugin to activate if you have untrusted users on your site. Any user could add Javascript code to steal the login cookies of any visitor who runs a blog on the same site. The rogue user can then impersonate any of those users and wreak havoc. If all you want is to display videos on your WordPress MU blogs, use the native Embed Support, Viper’s Video Quicktags or any of the other video plugins on WordPress.org.
If you use this plugin your site will be hacked in one way or another if you allow anonymous users on the Internet to create blogs on your site. It’s very dangerous.

Are you still 100% sure you want to use this plugin?

So, let's write somewhere, in a visible way, that videos must be saved by WordPress admins.

Plus, T364479 is indeed the right direction.

Then, if that remains unsolved, the ticket is still open.

Yes, but you need a permission to do that (or it used to be). A regular user gets code deleted for security reasons and is (was?) not allowed to add an iframe.

That's possible. I do test things as a user with the "contributor" role, but perhaps something changed or I wasn't as thorough. I'll test this again. Let's keep the task open.

According to the meta page, you are a "Senior Movement Communications Specialist". I think that after 8 years it would be interesting to have a result, and push where it should be pushed to solve this. Who should do it?

Trust me, if my title empowered me to make this happen, it would have happened by now!

I'm probably going to tell you the same thing you've already been told or are aware of. Either develop a grant to do the work required*, getting it worked on via the Community Wishlist Survey, or convincing leadership in Product and Tech that this is a priority over all the other work they are doing.

*It's actually two parts. Making MediaWiki provide oEmbed support, getting it into major CMS platforms like WordPress. If the former happens I could probably make an argument to use some of our Diff development resources to push for the inclusion in WordPress core. That's where I have a smidge of influence. I'm a contributor in that community and know some folks at Automattic. I'm sure they would be on board to having this feature in WordPress' oembeds.

Trust me, if my title empowered me to make this happen, it would have happened by now!

Then, who is responsible for this? Are they aware?

Then, who is responsible for this? Are they aware?

No one is responsible in the sense of currently being tasked with finding a solution to this request (oEmbed support in MediaWiki). If that were the case I'd be pinging them in this discussion. :) Many individual developers are aware given the conversations that have happened over the years. A few of which I've been finding and linking to in order to help your argument that this should be worked on. I can't make anyone do this work and in fact it might be more successful as a request from community than one guy inside the org trying to convince leadership (Which is why I'm trying to empower you to carry this forward! Hint hint). If we can convince someone to work on this on the MediaWiki side, I can make an argument to work on implementing this on the WordPress side of things. For everyone using WordPress, not just Diff.

As far as awareness? Internally, yes. In the past I have tried to make the argument that we should work on this, but only as an individual who doesn't have authority nor budget nor works in the Product and Tech department. Just as someone who wants the same thing you do in this instance. Heck, I even held a session at the 2018 hackathon about it! T187896

Let's limit the scope to make this do-able from the perspective of Diff Admins.


Premising that:

  • this Task is not about "allowing iframe embedding in Diff", since in that case we should set "Wontfix" for the clear reasons listed in https://wordpress.org/plugins/unfiltered-mu/ :( I think WordPress VIP will not do that for us.
  • this task is not about oEmbed, since that is T364479 and we are probably missing pieces from "our" MediaWiki side

So, let's evaluate this plugin, proposed in T364479#9781211

https://wordpress.org/plugins/embed-wikimedia/

It's probably a very good moment to write a kind email to WordPress VIP, to ask for some general info about "how to activate that specific plugin in our blog". They would eventually list some security pre-flight checks that we should prepare/fund, or any other unexpected blocking thing that we are not aware of right now. It would be lovely to write such a request. It's just 20 minutes of time and it could unlock some next steps.

https://wordpress.com/support/contact/

That's possible. I do test things as a user with the "contributor" role, but perhaps something changed or I wasn't as thorough. I'll test this again. Let's keep the task open.

Ah, you are right @Theklan. Users with the contributor role do not have the 'unfiltered_html' capability. This capability would "Allows user to post HTML markup or even JavaScript code in pages, posts, comments and widgets. Note: Enabling this option for untrusted users may result in their posting malicious or poorly formatted code."

😬 I'm not sure we'd want to enable that, even as we're reviewing every post before publishing. Someone could inadvertently add javascript code to a post that would violate our privacy rules. Such as collecting or sharing data with a third party. Or worse!

I'll have to see if there's a way to modify the filter to allow for <iframes> in a safe manner. There may not be.
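
The kind of filter considered above, reduced to its core decision, as an added example (not code from Diff, WordPress or anyone in this task): rather than granting 'unfiltered_html', re-emit only iframes whose src is an https Commons File: page with embedplayer=yes, rebuilt from allowlisted attributes. It is written in Python for illustration; the function names, the host allowlist and the sample post are assumptions, and every tag other than the allowlisted iframe is dropped to keep the example short.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOST = "commons.wikimedia.org"  # assumption: the only trusted embed host
DIMENSION = re.compile(r"\d{1,4}%?")    # accepts values such as 480 or 100%

def safe_commons_src(src):
    """True only for an https Commons File: page in embed-player mode."""
    try:
        parts = urlsplit(src)
    except ValueError:
        return False
    # Exact netloc match also rejects userinfo, ports and look-alike hosts.
    if re.search(r"\s", src) or parts.scheme != "https" or parts.netloc != ALLOWED_HOST:
        return False
    return (parts.path.startswith("/wiki/File:")
            and parse_qs(parts.query).get("embedplayer") == ["yes"])

class IframeAllowlist(HTMLParser):  # keeps text and allowlisted iframes only
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self.skip += 1
        elif tag == "iframe" and safe_commons_src(a.get("src") or ""):
            # Rebuild the tag: event handlers and unknown attributes never survive.
            dims = "".join(f' {k}="{a[k]}"' for k in ("width", "height")
                           if DIMENSION.fullmatch(a.get(k) or ""))
            self.out.append(f'<iframe src="{escape(a["src"])}"{dims}></iframe>')
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def filter_post(html):
    parser = IframeAllowlist()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

SAMPLE_POST = (  # constructed input, not a real Diff post
    '<p>Video:</p><script>track()</script><iframe src="https://video.example/e/1"></iframe>'
    '<iframe src="https://commons.wikimedia.org/wiki/File:Ikusgela_-_Karl_Marx.webm'
    '?embedplayer=yes" width="100%" height="480" frameborder="0" onload="x()"></iframe>')
```
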

Both problems should be solved if the parent issue is solved. We could add videos and images from Commons without HTML and, still, we would not break any security issue.